Total
29527 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-45074 | 1 Jfrog | 1 Artifactory | 2022-08-09 | 5.5 MEDIUM | 5.4 MEDIUM |
| JFrog Artifactory before 7.29.3 and 6.23.38, is vulnerable to Broken Access Control, a low-privileged user is able to delete other known users OAuth token, which will force a reauthentication on an active session or in the next UI session. | |||||
| CVE-2021-42029 | 1 Siemens | 71 Simatic S7-1200 Cpu, Simatic S7-1200 Cpu 1211c, Simatic S7-1200 Cpu 1212c and 68 more | 2022-08-09 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) V15 (All versions), SIMATIC STEP 7 (TIA Portal) V16 (All versions < V16 Update 5), SIMATIC STEP 7 (TIA Portal) V17 (All versions < V17 Update 2). An attacker could achieve privilege escalation on the web server of certain devices due to improper access control vulnerability in the engineering system software. The attacker needs to have direct access to the impacted web server. | |||||
| CVE-2021-45730 | 1 Jfrog | 1 Artifactory | 2022-08-09 | 4.0 MEDIUM | 4.9 MEDIUM |
| JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts while Repository Layouts configuration should only be available for Platform Administrators. | |||||
| CVE-2021-43939 | 1 Smartptt | 1 Smartptt Scada | 2022-08-09 | 9.0 HIGH | 8.8 HIGH |
| Elcomplus SmartPTT is vulnerable when a low-authenticated user can access higher level administration authorization by issuing requests directly to the desired endpoints. | |||||
| CVE-2021-41834 | 1 Jfrog | 1 Artifactory | 2022-08-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| JFrog Artifactory prior to version 7.28.0 and 6.23.38, is vulnerable to Broken Access Control, the copy functionality can be used by a low-privileged user to read and copy any artifact that exists in the Artifactory deployment due to improper permissions validation. | |||||
| CVE-2022-1561 | 2 Krakend, Luraproject | 2 Krakend, Lura | 2022-08-08 | N/A | 4.3 MEDIUM |
| Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable. | |||||
| CVE-2020-15185 | 1 Helm | 1 Helm | 2022-08-05 | 4.0 MEDIUM | 2.7 LOW |
| In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the index file in the Helm repository cache before installing software. | |||||
| CVE-2022-26308 | 1 Pandorafms | 1 Pandora Fms | 2022-08-05 | N/A | 5.4 MEDIUM |
| Pandora FMS v7.0NG.760 and below allows an improper access control in Configuration (Credential store) where a user with the role of Operator (Write) could create, delete, view existing keys which are outside the intended role. | |||||
| CVE-2022-26310 | 1 Pandorafms | 1 Pandora Fms | 2022-08-05 | N/A | 8.8 HIGH |
| Pandora FMS v7.0NG.760 and below allows an improper authorization in User Management where any authenticated user with access to the User Management module could create, modify or delete any user with full admin privilege. The impact could lead to a vertical privilege escalation to access the privileges of a higher-level user or typically an admin user. | |||||
| CVE-2022-1799 | 1 Google | 1 Google Play Services Software Development Kit | 2022-08-05 | N/A | 9.8 CRITICAL |
| Incorrect signature trust exists within Google Play services SDK play-services-basement. A debug version of Google Play services is trusted by the SDK for devices that are non-GMS. We recommend upgrading the SDK past the 2022-05-03 release. | |||||
| CVE-2020-1761 | 1 Redhat | 1 Openshift | 2022-08-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| A flaw was found in the OpenShift web console, where the access token is stored in the browser's local storage. An attacker can use this flaw to get the access token via physical access, or an XSS attack on the victim's browser. This flaw affects openshift/console versions before openshift/console-4. | |||||
| CVE-2021-3967 | 1 Zulip | 1 Zulip | 2022-08-05 | 6.5 MEDIUM | 8.8 HIGH |
| Improper Access Control in GitHub repository zulip/zulip prior to 4.10. | |||||
| CVE-2021-4016 | 1 Rapid7 | 1 Insight Agent | 2022-08-05 | 2.1 LOW | 3.3 LOW |
| Rapid7 Insight Agent, versions prior to 3.1.3, suffer from an improper access control vulnerability whereby, the user has access to the snapshot directory. An attacker can access, read and copy any of the files in this directory e.g. asset_info.json or file_info.json, leading to a loss of confidentiality. This issue was fixed in Rapid7 Insight Agent 3.1.3. | |||||
| CVE-2021-39333 | 1 Hashthemes | 1 Hashthemes Demo Importer | 2022-08-05 | 5.5 MEDIUM | 8.1 HIGH |
| The Hashthemes Demo Importer Plugin <= 1.1.1 for WordPress contained several AJAX functions which relied on a nonce which was visible to all logged-in users for access control, allowing them to execute a function that truncated nearly all database tables and removed the contents of wp-content/uploads. | |||||
| CVE-2021-32523 | 1 Qsan | 1 Storage Manager | 2022-08-04 | 6.5 MEDIUM | 7.2 HIGH |
| Improper authorization vulnerability in QSAN Storage Manager allows remote privileged users to bypass the access control and execute arbitrary commands. Suggest contacting with QSAN and refer to recommendations in QSAN Document. | |||||
| CVE-2021-32517 | 1 Qsan | 1 Storage Manager | 2022-08-04 | 5.0 MEDIUM | 7.5 HIGH |
| Improper access control vulnerability in share_link in QSAN Storage Manager allows remote attackers to download arbitrary files using particular parameter in download function. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3. | |||||
| CVE-2021-32514 | 1 Qsan | 1 Storage Manager | 2022-08-04 | 5.0 MEDIUM | 7.5 HIGH |
| Improper access control vulnerability in FirmwareUpgrade in QSAN Storage Manager allows remote attackers to reboot and discontinue the device. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3. | |||||
| CVE-2022-36956 | 1 Veritas | 1 Netbackup | 2022-08-04 | N/A | 7.5 HIGH |
| In Veritas NetBackup, the NetBackup Client allows arbitrary command execution from any remote host that has access to a valid host-id NetBackup certificate/private key from the same domain. The affects 9.0.x through 9.0.0.1 and 9.1.x through 9.1.0.1. | |||||
| CVE-2022-23000 | 1 Westerndigital | 18 My Cloud, My Cloud Dl2100, My Cloud Dl2100 Firmware and 15 more | 2022-08-03 | N/A | 7.8 HIGH |
| The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an "SSL" context instead of "TLS" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability. | |||||
| CVE-2021-29469 | 1 Redis.js | 1 Redis | 2022-08-03 | 5.0 MEDIUM | 7.5 HIGH |
| Node-redis is a Node.js Redis client. Before version 3.1.1, when a client is in monitoring mode, the regex begin used to detected monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service. The issue is patched in version 3.1.1. | |||||